A public key infrastructure (PKI) is a collection of methods, rules, policies, and roles that are required to generate, manage, provide, employ, and rescind digital certificates; it’s also responsible for the management of public key encryption. A PKI aids in securing the transfer of data over various network infrastructures, such as online banking, e-commerce, and other client-server architectures. With a PKI, a network engineer forms and ensures the maintenance of a credible networking territory by encrypting the traffic and by using digital certificates efficiently. Gone are the times when a simple password could perform adequate authentication and security; these days, a more concrete proof of identity is required before transfer of information can be allowed between two parties.

For an information security professional, the knowledge of PKI is absolutely essential. PKI security is hence a component of the CISSP credential that can’t be overlooked. The very basic concepts of PKI and cryptographic applications are a part of the CISSP CBK. Most of the CISSP guide books and reference material contain enough information regarding the pertinent topic to make an applicant substantially informed about it. The CISSP for Dummies book, for example, has a complete chapter on cryptography that elaborates the concepts in great detail.

PKI FOR CISSP

If you want to know all there is about PKI security in order to prepare for your CISSP exam, then you need to go through the following topics, at the very least:

The four basic components:

Certification authority: The certification authority (CA) has all the software, hardware, and personnel required to administer the PKI. All the responsibilities including certificate issuance, maintaining certificate revocation lists (CRLs) and archives, etc., fall under the jurisdiction of the CA.

Registration authority: Similarly, the registration authority (RA) has the personnel, hardware, and software required for PKI administration. The RA verifies the contents of the digital certificates for the certification authority.

Repository: This system is responsible for receiving the certificate revocation lists and the certificates from the CA and distributing them to the pertinent parties.

Archive: The archive stores the information that is archived by the CA.

Key management:

Awarding the keys and letting the encrypted data travel between two authorized parties isn’t enough. Managing and safeguarding the encryption keys is also substantially important. The most important key management functions are (but not entirely limited to):

Key generation: The key generation process should take place on a secure system and the generation scheme should not give away any hints about the contents of the key.

Key distribution: The key distribution process is also of paramount importance because, if not properly managed, it can lead to severe security loopholes.

Key installation: Most of the time, key installation is a manual process. The key should not get compromised during the installation and should also not be entered incorrectly.

Key storage: Salted hashes of keys are normally stored on a secure system.

Key change: Keys should be changed periodically to ensure the security and sanctity of the system.

Key disposal: When the keys are about to be replaced, they should be completely removed from the system to ensure that they are not used by any user ever again.

The concept of public and private keys:

However complex some people might want to make it sound, the concept of public and private keys is fairly simple. From the various PKI security components, these two keys are the most important. Each of them is a fairly long, randomly generated alphanumeric string. Below is an example of a public key:

As the name suggests, a public key is available to the general public and, conversely, a private key is only available to the authorized party. The pair of random keys are normally related mathematically; some data encrypted via a public key can only be decrypted by its corresponding private key and vice versa. Let’s take an example to further elaborate the matter:

A person Alice wants to send a message to a person Bob. To ensure the security of the transfer, Alice encrypts the data using Bob’s public key. Now, even though everybody else knows Bob’s public key too, only Bob can read the message meant for him because only he possesses his own private key.

The RSA cryptosystem (more on this below).

The key escrow and key recovery process.

The concept of digital signatures (more on this below).

The various network security protocols (SSL, TLS, WTLS, etc.)

Various e-mail security applications (MOSS, PEM, etc.)

THE RSA CRYPTOSYSTEM

RSA became one of the first public-key cryptosystems when it was introduced in 1978 by Ron Rivest, Adi Shamir, and Leonard Adleman (the initial letters of their last names led to the name RSA), and it has been in worldwide use ever since. The concept of public-private keys, as discussed above, is used in RSA. Many experts have made RSA a subject of their cryptanalysis, but so far not many serious flaws have been found. RSA derives its asymmetry from the fact that it’s practically difficult to factor the product of two huge prime numbers (also known as the factoring problem).

FINDING THE ENCRYPTION/DECRYPTION FUNCTIONS:

The encryption function E can be written as:

E(kPUB, P) = E(e, n, P) = P^e mod n    (1)

The decryption function D can be written as:

D(kPRIV, C) = D(d, n, C) = C^d mod n    (2)

Effectively D and E are the same here. We can write them formally as:

E(k, n, m) = D(k, n, m) = m^k mod n

Here k is any key and m is any message. However, for the above equations (1) and (2) to hold, we have to find special d, e, and n values.

To find d, e, and n, we can use the following process:

Choose two prime numbers (say p and q). Both the numbers should be large (100 digits at the very least).

Compute n = p * q (this number should come out to be at least 200 digits).

Now compute N = (p-1) * (q-1).

Now choose e such that e < N and e is relatively prime to N (i.e., gcd(e, N) = 1).

Choose d as the inverse of e modulo N.

Store the values of d, e, and n while discarding p, q and N.

Now to encode any given text, we can use the following relation: C= P^e mod n. To perform the decoding, P = C^d mod n can be used.

HASH FUNCTIONS

A hash function is used to ensure the authenticity and integrity of a message. It’s also one of the most important PKI security concepts that every network security professional should be completely well-versed in. By passing through a hash function, we achieve the mapping of arbitrary data (of arbitrary size) to a bit string (of a fixed size). Of the many hash functions in use these days, these are the ones that you need to know about while applying for CISSP:

The SHA family: Similar to the MD family, the SHA family (SHA-1, SHA-2, SHA-3 etc.) also comprises one-way hash functions.

HMAC (for hashed message authentication code): It is able to further extend the security provided by the SHA-1 and the MD5 algorithms.

DIGITAL SIGNATURES

Digital signatures form the core of PKI security services and are basically tools used to ascertain the sanctity and security of the whole network architecture. Via a correct digital signature, a recipient is able to believe that the message has actually been sent by a known sender; this aspect of it is called authentication. It also provides non-repudiation (ensuring the fact that the sender can’t deny sending the message) and integrity (the message didn’t get altered before reaching the recipient). If you are preparing for the CISSP exam, you need to know about the following additional concepts pertaining to digital signatures:

Message digests

One-way hashing functions

Digital signature revocation

Digital signature distribution

You can find more information on these topics in any CISSP preparation book. Take a look at some of our preparation guides for more information.
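How the message digest, HMAC, and digital signature described in the two sections above differ in practice, as an added example (not code from the original article). The key is a constructed toy pair built from two publicly known Mersenne primes, so it is not secure, and the function names are assumptions; real systems sign with a padding scheme such as RSA-PSS rather than raw hash-then-exponentiate.

```python
import hashlib
import hmac

# Constructed toy key: both primes are publicly known, so this key is NOT secure.
P_PRIME, Q_PRIME = 2**127 - 1, 2**521 - 1
E = 65537
N_MOD = P_PRIME * Q_PRIME
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # private exponent

def digest_int(message: bytes) -> int:
    """Message digest: arbitrary-size input mapped to a fixed 256-bit value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, d: int, n: int) -> int:
    """Only the private-key holder can compute this: digest^d mod n."""
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Anyone with the public key can check: signature^e mod n == digest."""
    return pow(signature, e, n) == digest_int(message)

def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    """HMAC: a keyed digest. Either holder of the shared key can produce it."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def hmac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)

if __name__ == "__main__":
    msg = b"Transfer 100 to Bob"                # constructed sample message
    sig = sign(msg, D, N_MOD)
    print("original verifies:", verify(msg, sig, E, N_MOD))
    print("altered verifies: ", verify(b"Transfer 900 to Bob", sig, E, N_MOD))
    key = b"constructed-shared-secret"
    print("hmac verifies:    ", hmac_verify(key, msg, hmac_tag(key, msg)))
```

The HMAC gives integrity and authentication between the two parties that share the key, but since both can compute the tag it cannot provide non-repudiation; the signature can, because only the private-key holder can produce it.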

PKI VULNERABILITIES:

There are also some PKI security vulnerabilities that need to be learned about. Here we mention some of the possible attacks that can take place on a PKI subsystem:

Attack on the certification authority:

The certification authority is the backbone of the security enforcing system because it provides, maintains records of, and periodically updates the digital certificates of the entities in the network. Even though an attack on the CA is hard to conceive, it could be achieved through a sophisticated man-in-the-middle intrusion.

Theft of issued certificates:

There have been incidents where issued (and active) certificates have been stolen, leading to grave repercussions. To avoid this, multi-level authentication and authorization infrastructures should be implemented.

Theft of issued code signing digital certificates:

Digital certificates are the keys that protect the important resources from being accessed by unauthorized personnel and their security needs to be ensured at all costs. However, if enough care is not taken, they too can be stolen.

Denial of service (DOS) attacks:

DOS attacks prevent the authorized personnel from accessing the resources that are important for operating the system.

FINAL WORD

Ensuring the security of online transactions is becoming increasingly difficult and hence increasingly important. The knowledge of PKI for an information security professional is of great importance; hence it forms a vital part of the CISSP credential CBK. This article shares only basic information regarding the concepts that have to be further explored in order to be adequately acquainted with the PKI model. The various study guides and reference books share detailed information on the matter and it’s recommended for every aspirant to develop a deep understanding of the topic before attempting the exam. You can find the recommended study resources and material from our dedicated CISSP resources article.
